pe3zx pe3zx

## cmpv.ps1
$AutomaticVariables = Get-Variable
function cmpv {
    Compare-Object (Get-Variable) $AutomaticVariables -Property Name -PassThru | Where -Property Name -ne "AutomaticVariables"
}

## MAZE_Group_1.json
{
	"name": "MAZE Group 1",
	"version": "2.2",
	"domain": "mitre-enterprise",
	"description": "",
	"filters": {
		"stages": [
			"act"
		],
		"platforms": [

## malware_carriers_hunting.yar
// any Office document with macros.
rule macro_hunter
{
    strings:
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        $macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
        $macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
    condition:
        new_file and (
            tags contains "macros" or (

## disable_windows_defender.bat
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

## unpacking.py
import sys
import binascii
import struct
from ctypes import Union, Structure, c_int, c_long, c_ushort, c_uint, c_short
from collections import namedtuple
from pprint import pprint

# struct timestamp_entry {
#     unsigned short version;     /* version number */
#     unsigned short size;        /* entry size */

## misp.conf
<VirtualHost *:443>
    ServerName misp.local
    DocumentRoot /var/www/MISP/app/webroot

    <Directory /var/www/MISP/app/webroot>
        Options -Indexes
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

## keybase.md

      
        
          
            
              
              1 file
            
          
          
            
              
              0 forks
            
          
          
            
              
              0 comments
            
          
          
            
              
              0 stars
            
          
        
        
          
              
          
          
            
                pe3zx
                / keybase.md
            
            
              Last active Dec 13, 2018
            
          
        
      
        
    
      View keybase.md
  
    
  
    Keybase proof
I hereby claim:

I am pe3zx on github.
I am pe3z (https://keybase.io/pe3z) on keybase.
I have a public key ASAU2yKbpXrwC7sNTh3-BoTC9V9qgbdHXH_LIVbhIf_rcQo

To claim this, I am signing this object:
	$AutomaticVariables = Get-Variable
	function cmpv {
	Compare-Object (Get-Variable) $AutomaticVariables -Property Name -PassThru \| Where -Property Name -ne "AutomaticVariables"
	}
	{
	"name": "MAZE Group 1",
	"version": "2.2",
	"domain": "mitre-enterprise",
	"description": "",
	"filters": {
	"stages": [
	"act"
	],
	"platforms": [
	// any Office document with macros.
	rule macro_hunter
	{
	strings:
	$ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
	$macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
	$macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
	condition:
	new_file and (
	tags contains "macros" or (
	rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
	rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
	rem To also disable Windows Defender Security Center include this
	rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
	rem 1 - Disable Real-time protection
	reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
	import sys
	import binascii
	import struct
	from ctypes import Union, Structure, c_int, c_long, c_ushort, c_uint, c_short
	from collections import namedtuple
	from pprint import pprint

	# struct timestamp_entry {
	# unsigned short version; /* version number */
	# unsigned short size; /* entry size */
	<VirtualHost *:443>
	ServerName misp.local
	DocumentRoot /var/www/MISP/app/webroot

	<Directory /var/www/MISP/app/webroot>
	Options -Indexes
	AllowOverride all
	Order allow,deny
	allow from all
	</Directory>